Concept

Infisical lets you build your Internal PKI through a Private Certificate Authority (CA) hierarchy, enabling you to issue and manage digital certificates for your end-entities.

Workflow

A typical workflow for setting up a Private CA hierarchy consists of the following steps:
  1. Configuring an Infisical root CA with details like name, validity period, and path length — This step is optional if you wish to use an external root CA with Infisical only serving the intermediate CAs.
  2. Configuring and chaining intermediate CA(s) with details like name, validity period, path length, and imported certificate to your Root CA.
  3. Managing the CA lifecycle events such as CA succession.
Note that this workflow can be executed via the Infisical UI or manually, for example via the API. If executing the workflow manually, you may have to create a Certificate Signing Request (CSR) for the intermediate CA, create an intermediate certificate using the root CA private key and the CSR, and import the intermediate certificate back to the intermediate CA as part of Step 2.

Guide to Creating a CA Hierarchy

In the following steps, we explore how to create a simple Private CA hierarchy consisting of an (optional) root CA and an intermediate CA.
Step 1: Creating a root CA

If you wish to use an external root CA, you can skip this step and head to step 2 to create an intermediate CA.

To create a root CA, head to your Certificate Management Project > Certificate Authorities > Internal Certificate Authorities and press Create CA. Here, set the CA Type to Root and fill out the details for the root CA. Here’s some guidance for each field:
  • Valid Until: The date until which the CA is valid in the date time string format specified here. For example, the following formats would be valid: YYYY, YYYY-MM, YYYY-MM-DD, YYYY-MM-DDTHH:mm:ss.sssZ.
  • Path Length: The maximum number of intermediate CAs that can be chained to this CA. A path of -1 implies no limit; a path of 0 implies no intermediate CAs can be chained.
  • Key Algorithm: The type of public key algorithm and size, in bits, of the key pair that the CA creates when it issues a certificate. Supported key algorithms are RSA 2048, RSA 4096, ECDSA P-256, and ECDSA P-384 with the default being RSA 2048.
  • Name: A slug-friendly name for the CA.
  • Organization (O): The organization name.
  • Country (C): The country code.
  • State or Province Name: The state or province.
  • Locality Name: The city or locality.
  • Common Name: The name of the CA.
The Organization, Country, State or Province Name, Locality Name, and Common Name make up the Distinguished Name (DN) or subject of the CA. At least one of these fields must be filled out.
Step 2: Creating an intermediate CA

To create an intermediate CA, press Create CA again, but this time set the CA Type to Intermediate. Fill out the details for the intermediate CA.

Next, press the Install CA Certificate option on the intermediate CA. You will be presented with the installation method selector. Choose how the signing certificate for this CA should be issued.

Select Infisical CA and press Continue. This option chains the intermediate CA to a root or intermediate CA managed by Infisical. Set the Parent CA to the root CA created in step 1 (or any other existing root or intermediate CA) and configure the intended Valid Until and Path Length fields on the intermediate CA; feel free to use the prefilled values. Here’s some guidance on each field:
  • Parent CA: The parent CA to which this intermediate CA will be chained. In this case, it should be the root CA created in step 1.
  • Valid Until: The date until which the CA is valid in the date time string format specified here. The date must be within the validity period of the parent CA.
  • Path Length: The maximum number of intermediate CAs that can be chained to this CA. The path length must be less than the path length of the parent CA.
Press Install to chain the intermediate CA to the root CA. This creates a Certificate Signing Request (CSR) for the intermediate CA, creates an intermediate certificate using the root CA private key and the CSR, and imports the signed certificate back to the intermediate CA.

You’ve successfully created a Private CA hierarchy with a root CA and an intermediate CA. Now check out the Certificates section to learn more about how to issue X.509 certificates using the intermediate CA.

Guide to CA Renewal

In the following steps, we explore how to renew a CA certificate.
  • If renewing an intermediate CA chained to an Infisical CA, Infisical will automate the process of generating a new certificate for you.
  • If renewing an intermediate CA signed by an external CA provider (e.g., Venafi, Azure AD CS), you can configure auto-renewal to automate the process. See Venafi auto-renewal or AD CS auto-renewal.
  • If renewing an intermediate CA chained to an external parent CA via manual import, you’ll need to generate a new certificate from the external parent CA and manually import it back.
Head to the CA Page of the CA you wish to renew and press Renew CA on the left side. Input a new Valid Until date to be used for the renewed CA certificate and press Renew to renew the CA.
The new Valid Until date must be within the validity period of the parent CA.
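The manual chaining workflow described above (CSR for the intermediate, signing with the parent key, chain verification) and the same-key renewal just described, worked through with the Go standard library. This is an added example, not Infisical code: it does not talk to the Infisical API, and the certificate names, the ten-year root validity and the helper names (`issueCA`, `signCSR`, `renewSameKey`, `verifyChain`) are assumptions made for the illustration. It encodes the two rules the guide states for chaining (the child's Valid Until must fall within the parent's validity; the child's path length must be less than the parent's) and uses the page's path-length convention (-1 unlimited, 0 no further CAs).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Infisical's implementation. Path length uses the page's
// convention: -1 = no limit, 0 = no intermediate CAs may be chained, n = at most n.
var (
	ErrValidityExceedsParent = errors.New("Valid Until is outside the parent CA's validity period")
	ErrPathLenNotBelowParent = errors.New("path length must be less than the parent CA's path length")
)

func yearsFromNow(n int) time.Time { return time.Now().AddDate(n, 0, 0) }

// pathLenOf reads a certificate's pathLenConstraint back in that convention.
func pathLenOf(c *x509.Certificate) int {
	if c.MaxPathLenZero {
		return 0
	}
	if c.MaxPathLen <= 0 {
		return -1 // constraint absent
	}
	return c.MaxPathLen
}

// checkChainingRules enforces the two rules the guide states for chaining a CA under a parent.
func checkChainingRules(parent *x509.Certificate, notAfter time.Time, pathLen int) error {
	if notAfter.After(parent.NotAfter) {
		return ErrValidityExceedsParent
	}
	if pp := pathLenOf(parent); pp >= 0 && (pathLen < 0 || pathLen >= pp) {
		return ErrPathLenNotBelowParent
	}
	return nil
}

// issueCA signs a CA certificate for pub. With parent == nil it self-signs a root with
// signingKey; otherwise it applies the chaining rules and signs with the parent's key.
// First issuance and same-key renewal both go through here.
func issueCA(parent *x509.Certificate, signingKey *ecdsa.PrivateKey, subject pkix.Name,
	pub crypto.PublicKey, notAfter time.Time, pathLen int) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen:            pathLen,      // -1 leaves pathLenConstraint unset
		MaxPathLenZero:        pathLen == 0, // explicit zero: no further CAs
	}
	issuer := tmpl
	if parent != nil {
		if err := checkChainingRules(parent, notAfter, pathLen); err != nil {
			return nil, err
		}
		issuer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signingKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA generates a key pair and self-signs a root (step 1 of the guide).
func newRootCA(cn string, notAfter time.Time, pathLen int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issueCA(nil, key, pkix.Name{CommonName: cn}, &key.PublicKey, notAfter, pathLen)
	return cert, key, err
}

// newIntermediateCSR generates the intermediate's key pair and the CSR a manual
// workflow hands to the parent CA (step 2).
func newIntermediateCSR(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return der, key, err
}

// signCSR is the parent-side step: parse the CSR, check its self-signature
// (proof of key possession), then issue the intermediate certificate.
func signCSR(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, csrDER []byte,
	notAfter time.Time, pathLen int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return issueCA(parent, parentKey, csr.Subject, csr.PublicKey, notAfter, pathLen)
}

// renewSameKey re-issues a CA certificate for its existing key pair with a new
// Valid Until, keeping subject and path length; the parent's validity still bounds it.
func renewSameKey(parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	old *x509.Certificate, newNotAfter time.Time) (*x509.Certificate, error) {
	return issueCA(parent, parentKey, old.Subject, old.PublicKey, newNotAfter, pathLenOf(old))
}

// verifyChain checks that the intermediate chains to the root, as a relying party would.
func verifyChain(root, intermediate *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := intermediate.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	root, rootKey, err := newRootCA("Example Root CA", yearsFromNow(10), 1)
	if err != nil {
		panic(err)
	}
	csr, _, err := newIntermediateCSR("Example Intermediate CA")
	if err != nil {
		panic(err)
	}
	inter, err := signCSR(root, rootKey, csr, yearsFromNow(5), 0)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain verifies:", verifyChain(root, inter) == nil)
	_, err = signCSR(root, rootKey, csr, yearsFromNow(11), 0)
	fmt.Println("outlives parent:", err)
	_, err = renewSameKey(root, rootKey, inter, yearsFromNow(20))
	fmt.Println("renewal outlives parent:", err)
}
```

The two rejected calls in `main` show where the UI's Valid Until and Path Length checks bite: an intermediate that would outlive its parent, or a renewal that would, is refused before anything is signed. `renewSameKey` reuses the old certificate's public key and subject, which is the same-key renewal mode the FAQ below describes; a new-key renewal would instead start from a fresh CSR.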

FAQ

Infisical supports RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384 key algorithms specified at the time of creating a CA.
At the moment, Infisical only supports CA renewal via same key pair. We anticipate supporting CA renewal via new key pair in the coming month.
Yes. You can either manually obtain a CSR and import the signed certificate, or use an integrated external CA provider like Venafi TLS Protect Cloud or Azure AD CS to automate the signing process.